qemu/KVM/Xen: floppy driver allows VM escape ("VENOM" vulnerability, CVE-2015-3456)

This document (7016497) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 10 Service Pack 3 (SLES 10 SP3)
SUSE Linux Enterprise Server 10 Service Pack 4 (SLES 10 SP4)
SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)
SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Expanded Support 6 and 7
SUSE Cloud

Situation

Impact:

A vulnerability in the floppy disk controller emulation of qemu, which is also used by Xen and KVM, allows an attacker with root privileges inside a virtual machine (guest) to escape from the guest and access the host system.
The bug is not easy to exploit, and exploitation attempts might trigger crashes on the host system, which could be an indicator of an ongoing attack.

All currently supported versions of SUSE Linux Enterprise Server, starting from SLES 10 SP3 up to and including SLES 12, as well as SUSE Linux Enterprise Expanded Support 6 and 7, are affected by this vulnerability.
Since the problematic code is in the qemu device emulation, which both Xen (for HVM guests) and KVM use, all versions of Xen, qemu and KVM are affected.


Resolution

SUSE engineering is aware of the problem. 
Maintenance updates for all affected products are in preparation.

As of now, updates that fix the issue are available for:

SUSE Linux Enterprise Server 10 SP4 LTSS:
xen-3.2.3_17040_46-0.15.1

SUSE Linux Enterprise Server 11 SP1 LTSS:
kvm-0.12.5-1.26.1
xen-4.0.3_21548_18-0.21.1

SUSE Linux Enterprise Server 11 SP2 LTSS:
kvm-0.15.1-0.29.1
xen-4.1.6_08-0.11.1

SUSE Linux Enterprise Server 11 SP3:
kvm-1.4.2-0.22.27.1
xen-4.2.5_06-0.7.1

SUSE Linux Enterprise Server 12:
xen-4.4.2_04-18.1
qemu-2.0.2-46.1


qemu-kvm updates are available for SUSE Linux Enterprise Expanded Support 6 and 7 as well.

Registered systems can be patched with YaST2 or zypper, or via SUSE Manager.
For SUSE Linux Enterprise Expanded Support use "yum update", or get the fixed packages manually from the patch finder.

Updates are also available via https://download.suse.com/patch/finder/

Updates for further products are in QA and will follow soon.

This document will be updated as fixed packages become available.


Additional Information

Note: Patching the host replaces the qemu binary on disk, but guests that are already running keep executing the old code. To actually fix the vulnerability it is therefore necessary to either

* power-cycle the VM after patching the host system

OR

* migrate the VM to an already patched host system.

For SUSE OpenStack Cloud this can be accomplished using live migration, or with the following commands, which suspend and resume every active instance:

# Load the OpenStack credentials from the .openrc file in the current directory.
. ./.openrc
# Collect the IDs of all active instances (first column of the nova table).
nova list --all_tenants --status active |
    perl -ne 'm/^[| ]*([0-9a-f-]+)/ && print "$1 "' > active
# Suspend each instance, wait until the suspend has completed, then resume it.
# The resumed guest is started as a new process and thus runs the updated qemu.
for id in $(cat active); do
    nova suspend "$id"
    while nova show "$id" | grep -q 'OS-EXT-STS:task_state.*suspending'; do
        sleep 3
    done
    nova resume "$id"
done
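The note above says a patched host only protects guests that have been restarted or migrated. As an added example that is not part of this TID, the following POSIX shell functions list the qemu/kvm device-model processes on a patched host that are still executing the replaced binary; they assume process names start with qemu or kvm and that the guest name is passed with -name as libvirt does.

```shell
#!/bin/sh
# Added example (not from the SUSE TID): find guests that still run the old
# qemu code after the host was patched, i.e. those that still need a
# power-cycle or a migration.
#
# Mechanism: the package update unlinks the old /usr/bin/qemu-kvm (qemu-dm for
# Xen) and installs a new file, but a guest started before the update keeps the
# old image mapped; /proc/<pid>/maps then shows those executable mappings with
# a "(deleted)" suffix.
#
# PROC_ROOT defaults to /proc; it is overridable only so the functions can be
# exercised against a constructed tree (an assumption of this example).

# Print "<pid> <comm>" for each qemu*/kvm* process that maps an executable
# (r-xp) segment of a file that no longer exists on disk.
stale_qemu_pids() {
    proc_root="${PROC_ROOT:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm=$(cat "$dir/comm")
        case "$comm" in
            qemu*|kvm*) ;;      # qemu-kvm, qemu-system-*, qemu-dm (Xen HVM)
            *) continue ;;
        esac
        # Kernel threads such as kvm-pit/NNNN have no readable maps; grep
        # fails quietly and they are skipped.
        if grep -q -E '^[0-9a-f]+-[0-9a-f]+ r-xp .*\(deleted\)$' \
                "$dir/maps" 2>/dev/null; then
            echo "${dir##*/} $comm"
        fi
    done
}

# Resolve the guest name from the process command line. libvirt passes either
# "-name <guest>" or "-name guest=<guest>,debug-threads=on"; both are handled.
# Prints nothing if no -name option is present.
guest_name_of() {
    tr '\000' '\n' < "${PROC_ROOT:-/proc}/$1/cmdline" |
        awk '$0 == "-name" { getline; sub(/^guest=/, ""); sub(/,.*/, ""); print; exit }'
}

# Report one line "<pid> <comm> <guest>" per guest still running old code.
report_stale_guests() {
    stale_qemu_pids | while read -r pid comm; do
        echo "$pid $comm $(guest_name_of "$pid")"
    done
}
```

Run report_stale_guests as root on the patched host; an empty report means every guest has already been restarted or migrated.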

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7016497
  • Creation Date: 13-May-2015
  • Modified Date:28-Sep-2022
    • SUSE Linux Enterprise Server
